As a Linux admin I have root access, and there are however many local users specified in /etc/passwd. This is on RHEL-8.10 with ENCRYPT_METHOD SHA512, and /etc/security/pwquality.conf is configured appropriately...

Is there some acceptable means [via software?] to validate that all set passwords are in fact up to some standard of character length and complexity, without actually finding out the set password of an account? I want to do this as a security sanity check, for example to verify that some test account was made with a password of just "a" while the password rules were temporarily relaxed, and then that account+password was forgotten about.

I would also be interested in Samba passwords as listed via pdbedit -L for a passdb backend = tdbsam.

  • Use a password cracking tool, like "John the Ripper". See the Kali explanation https://www.nitttrchd.ac.in/imee/Labmanuals/Password%20Cracking%20of%20Linux%20Operating%20System.pdf Commented Oct 15 at 18:53
  • That's the neat part: you don't. A correctly-configured /etc/shadow file should have passwords that are hashed or HMAC'ed instead of encrypted, which can't be decoded. If that's the case, the only way to check it is to try to hack it by hashing some dictionaries until you find a match. Commented Oct 15 at 20:34

2 Answers

> is there some acceptable means [via software?] to validate all set passwords are in fact up to some standard of character length and complexity, without actually finding out the set password of an account?

Not being able to reconstruct such information on the password is the whole point of hashing them with a secure hash function. That's the hash's mathematical "job"!

So, unless your hash is horribly broken (but SHA512 is quite strong, and unlike md4, md5 and sha1 it is very unlikely to be easily reversed in the near future), the quickest possible method here is literally trying all passwords you consider weak ("brute force").


I can think of several ways to ensure all passwords meet standards:

  1. Intercept the password when the user is logging in and verify it, maybe pretend it is expired if it isn't good enough. (I'm not aware of anything that does this currently.)

  2. Intercept the password when the user is changing it and reject it (pwquality.conf configures this and pam_pwquality implements it).

  3. Run a password cracker on the shadow file and try to guess weak passwords.

  4. Expire all passwords on the system that were made before you updated pwquality.conf to force users to change their password to something that meets the standards set there.

  • 1, 2 and 4 do not fulfill the question's requirement of "without actually finding out the set password". Commented Oct 16 at 10:53
  • I think you're wrong. Only 3 finds the set password and 4 certainly does not. And the goal is unreasonable. Commented Oct 16 at 12:06
  • "Intercept" in 1 and 2 literally means "capturing while available and looking at it", that is, finding out. 4 forces the user to choose a new password, so that it can be intercepted by a password check, and also violates not looking at the current passwords. Commented Oct 16 at 13:03
  • Agreeing on the "unreasonable", but you should probably explain that, otherwise the answer doesn't address the question :) Commented Oct 16 at 13:04
  • I think the other answer does a good job of explaining why it is unreasonable. Commented Oct 16 at 13:06
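The following is an added example, not code from the question or either answer. It implements the defensible part of the second answer (option 4, combined with the ENCRYPT_METHOD SHA512 setting from the question) without looking at or guessing any password: it reads shadow(5) lines and flags accounts whose password was last set before the policy cutoff, whose hash is not the $6$ SHA-512 crypt format, or whose password field is empty. The function names, the sample shadow lines and the abbreviated hashes are all constructed for this example; the cutoff is a days-since-epoch value, for instance the day pwquality.conf was last edited.

```python
"""Offline /etc/shadow sanity check (added example, not from the thread).
Flags accounts whose password predates the pwquality policy change, whose hash
is not the $6$ SHA-512 crypt format, or whose password field is empty. It never
reads or guesses a password. Assumes the standard shadow(5) field layout."""
import os

LOCKED_PREFIXES = ("!", "*")   # "!", "!!", "!$6$...", "*": no password login

def parse_shadow(text):
    """Yield (user, hash, last_change_days) for each well-formed shadow line."""
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 3:
            continue
        user, pw_hash, last = fields[0], fields[1], fields[2]
        yield user, pw_hash, (int(last) if last.isdigit() else None)

def audit_shadow(text, policy_day):
    """Return {user: [reasons]} for accounts that deserve a closer look."""
    findings = {}
    for user, pw_hash, last in parse_shadow(text):
        if pw_hash.startswith(LOCKED_PREFIXES):
            continue                        # locked account: nothing to expire
        reasons = []
        if pw_hash == "":
            reasons.append("empty-password")
        elif not pw_hash.startswith("$6$"):
            reasons.append("hash-not-sha512")   # legacy $1$/$5$ or DES hash
        if last is not None and last < policy_day:
            reasons.append("set-before-policy")
        if reasons:
            findings[user] = reasons
    return findings

def expire_commands(findings):
    """Commands that force a policy-compliant new password at next login."""
    return ["chage -d 0 %s" % user for user in sorted(findings)]

def days_since_epoch(path):
    """Shadow stores dates as days since 1970-01-01; derive one from a file's mtime."""
    return int(os.stat(path).st_mtime // 86400)

# Constructed sample data (hashes abbreviated, not real); policy cutoff day 20000.
SAMPLE_SHADOW = """\
root:$6$salt$hashA:19900:0:99999:7:::
alice:$6$salt$hashB:20050:0:99999:7:::
bob:$1$salt$hashC:19500:0:99999:7:::
testacct::19800:0:99999:7:::
svc:!!:19000:0:99999:7:::
"""
```

On a real host, pass `open("/etc/shadow").read()` and `days_since_epoch("/etc/security/pwquality.conf")` to `audit_shadow`, then review `expire_commands` before running any of them.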
